An organization may have a chain of entities that together provide some service to a user. Access to resources such as data, web pages, functional software operations, and the like needs to be limited to a set of known and authorized users. Various access control schemes have been developed to prevent unauthorized users and malicious attackers from gaining access to computer resources, including mechanisms used to authenticate the identity of a user who is attempting to access web resources. In particular, due to the increase in identity theft attacks (e.g., phishing, pharming), two-factor authentication is becoming popular.
Two-factor authentication (T-FA) is any authentication protocol that requires two different ways to establish identity and privileges. Common implementations of two-factor authentication use “something you know” (e.g., a password or personal identification number) as one of the factors, and use either “something you have” (e.g., a credit card or hardware token) or “something you are” (e.g., a fingerprint or retinal pattern) as the other factor. For example, smart cards are one of the methods for providing two-factor authentication. A smart card is an example of a hardware token and typically contains a microprocessor that is capable of executing various security operations such as performing cryptographic functions on provided data. A smart card usually holds one or more International Telecommunications Union (ITU-T) X.509 certificates (and their associated private keys) which can be used for protocols that require certificate-based authentication. SSL (Secure Socket Layer), TLS (Transport Layer Security), and Kerberos (with PKINIT, short for “Public Key Cryptography for Initial Authentication in Kerberos”) are all examples of such protocols.
A smart card is not required in order to use a certificate. Many devices (e.g., computers, mobile phones) are capable of storing and using certificates (and their associated private keys). For example, Windows Mobile 5.0 can use a certificate to authenticate to an Exchange 2003 SP2 server in order to synchronize email and calendar information (via the Exchange ActiveSync protocol which runs on top of SSL or TLS).
Protecting identity theft attacks upon the chain of entities of an organization's network, including for example, a gateway device on the edge of the network providing Web-based access to Web servers that are located on the organization's internal network (intranet), is critical.
Authentication Delegation is broadly defined as a case in which a client delegates authentication to a server, or more specifically, allowing a third-party authentication service (or gateway) that can access resources (or a server) to authenticate on behalf of a user (by essentially impersonating the user). The accessed server will base its authorization decisions upon the user's identity, rather than based upon the authentication service's account.
This Background is provided to introduce a brief context for the Summary and Detailed Description that follows. This Background is not intended to be an aid in determining the scope of the claimed subject matter nor be viewed as limiting the claimed subject matter to only those implementations that may solve any or all of the disadvantages or problems presented above.